Solved: What is the best way to figure out if a configurat...

muebel · ‎07-01-2010

If I make a change to a view in an app, I can activate that change by reloading the app. If I make a change to the savesearch.conf at the system level, it requires a splunk restart before the change takes effect.

Is there a simple and short way of knowing when a configuration change will go into effect? On reload of a view? On reload of server? etc?

Chris_R_ · ‎07-01-2010

The rule of thumb we go by is usually anything that affects indexing level changes require a splunk restart, while search level changes require a reload. Here's a good guideline on how to determine which is which.
http://www.splunk.com/base/Documentation/latest/admin/Indextimeversussearchtime

So index creation or settings modifications, props.conf timestamp extractions, or transforms.conf indexed field modifications as well as most .conf manual changes will require a restart.

If you make changes with $SPLUNK_HOME/bin/splunk CLI changes or within the UI, it wont require a restart.(unless of course you get prompted for a restart)

View solution in original post

Chris_R_ · ‎07-01-2010

The rule of thumb we go by is usually anything that affects indexing level changes require a splunk restart, while search level changes require a reload. Here's a good guideline on how to determine which is which.
http://www.splunk.com/base/Documentation/latest/admin/Indextimeversussearchtime

So index creation or settings modifications, props.conf timestamp extractions, or transforms.conf indexed field modifications as well as most .conf manual changes will require a restart.

If you make changes with $SPLUNK_HOME/bin/splunk CLI changes or within the UI, it wont require a restart.(unless of course you get prompted for a restart)

What is the best way to figure out if a configuration change will require a splunk restart?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes